A few years ago, it wasn’t easy getting executives on board with the concept of operational technology (OT) security. Having finally come around to acknowledging the need for information technology (IT) security, boards and C-suite executives at industrial enterprises were then faced with the proposition of having to protect their industrial control systems. In the absence of tangible risk, many business leaders viewed this new phenomenon as a marketing ploy designed to bulge budgets with fear, uncertainty, and doubt.
Fast forward to today, when the conversation is not about whether to focus on OT security, but how. The experiences of WannaCry and NotPetya filled the void of tangible risk with dollar figures, downtime and derogatory headlines. Suddenly, the story was clear: the convergence of IT and OT has subjected operational environments to risks that were previously limited to business networks.
The OT risk landscape spans every industry. In fact, many organizations that claim to be IT-only are surprised to learn that they own and operate numerous OT assets like HVAC systems and elevators. However, nowhere is IT-OT convergence more pronounced than in the manufacturing and logistics sectors. To understand why, it is important to note the driving forces behind this convergence.
In managing operational performance in manufacturing environments, there is an old adage: “shop floor to the top floor.” For as long as factories and plants have produced and moved product, whether by hand or with machines, business managers have relied on key operational data flowing from the plant in order to optimize performance. Thanks to the Internet of Things (IoT), this data is now available on a real-time basis. In manufacturing and logistics, a percentage decrease in output hurts profits and could cause a ripple effect in the global supply chain. By merging sensors, big data analytics software, and industrial control systems, organizations can monitor key performance indicators in real time. Rapid and near-universal adoption of this technology has transformed it from a competitive advantage to a competitive necessity.
The second factor driving IT-OT convergence is related to maintenance. In any operational environment, preventive and corrective maintenance is critical to maximizing uptime and minimizing downtime. Manufacturing and logistics operations are some of the most geographically distributed in the world. Therefore, it can be cost-prohibitive to perform maintenance on automated control systems on-site. And with the remote access tools available on the market today, businesses are keen to reduce the personnel and travel expenses associated with maintaining their operational environment.
There is no doubt that IT-OT convergence is driven by legitimate business requirements, but it also introduces new and significant business risks.
The first and perhaps most prominent risk is best exemplified by the experiences of WannaCry and NotPetya. The convergence of IT and OT systems in the absence of network segmentation and patch management subjects organizations to collateral effects from targeted attacks. The manufacturing and logistics industries are reliant on interfacing with third parties, especially with the rapid growth of e-commerce. However, these interfaces can also represent channels through which malware can automatically transit and access operational environments.
The second risk pertains to a targeted threat scenario in which a dedicated actor exploits the interconnectivity between IT and OT systems to move laterally about the network and access a specific industrial control system. The motivation for such an operation could range from political to ideological to financial, but regardless, increasingly converged networks are likely to decrease the time and resources expended by the actor. In this case, third-party and remote access accounts are a prime focus for actors seeking to minimize their time to target.
The convergence of IT and OT systems is a natural phenomenon for companies embarking on the digital transformation journey. But like most innovations, it is not without risk. This risk is especially prevalent in industries like manufacturing and logistics with global supply chain footprints and small margins of production error. The good news is that the risk is manageable, especially if we learn from the lessons of the past.
(Dave Weinstein is the VP of Threat Research at Claroty and a non-resident fellow at New America.)